Prepare for v0.42.0

[knqyf263]

🚀 What's new? 🚀

🔄 Convert JSON reports into different formats 📄

Trivy now includes a new subcommand to convert JSON reports into different formats. This feature allows users to transform the output of their security scans to meet their specific needs.

$ trivy image -f json -o result.json --list-all-pkgs debian:11
$ trivy convert --format cyclonedx --output result.cdx result.json

See here for the detail.

📦 Show digests for OS packages 📝

Trivy has added support for digests of OS packages such as apk, dpkg and rpm. This enhancement also includes the addition of the digest to SBOM, CycloneDX and SPDX.

$ trivy image --format cyclonedx alpine:3.17 | jq '.components[0]' | head -n 10
...

{
  "bom-ref": "pkg:apk/alpine/[email protected]?arch=x86_64&distro=3.17.3",
  "type": "library",
  "name": "alpine-baselayout",
  "version": "3.4.0-r0",
  "hashes": [
    {
      "alg": "SHA-1",
      "content": "fde5df99b613d565de9c54aa2a3ae86322bce0d1"
    }

🎛️ Specify which image sources(s) to use 🖥️

When scanning a container image (with trivy image command), Trivy will look for the image in the following order: Docker Engine, Containerd, Podman, and finally pull from registry. The new --image-src allows users to override the search order:

$ trivy image alpine:3.7.3 # default behavior
$ trivy image --image-src=podman,containerd alpine:3.7.3 # tries only podman, containerd in the specified order

See here for the detail.

Thanks to @pmengelbert for this contribution!

🎯 Support for referencing an input image by digest 📌

Trivy now supports referencing a local OCI image using the digest of its manifest.

$ trivy image --input alpine@sha256:56ae38f2f5c54b98311b8b2463d4861368c451ac17098f4227d84946b42ab96d

Thanks to @laurentiuNiculae for this contribution!

⎈ Exclude Kubernetes node from infra assessment scanning 🚩

Trivy now supports the option to exclude Kubernetes node by node labels from infra assessment scanning.

For example, to exclude AWS Fargate nodes:

trivy k8s cluster --report summary --exclude-nodes kubernetes.io/arch:arm6

🂱 Support for Terraform Plan files 🥽

Trivy now supports scanning Terraform plan files

$ tree
.
└── tfplan.json

$ trivy config .

2023-05-31T17:36:49.180-0600    INFO    Misconfiguration scanning is enabled
2023-05-31T17:36:49.651-0600    INFO    Detected config files: 1

main.tf (terraformplan)

Tests: 7 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 0)

<snip>

You can read more on this here.

📦 Support duplicate Dockerfile stage names 〄

It is now possible to supply a Dockerfile with stages that are not unique. For example:

FROM foo
CMD bar
FROM foo
ENTRYPOINT zzz

Misc

• Support for pnpm Lockfile v6
• Support for npm local modules

👷‍♂️ Notable Fixes 🛠️

• Don't fail Trivy scanning when a single rego check errors feat: trivy should not fail if one rego policy fails #4183
• Fix pnpm scanning fix(nodejs): update logic for parsing pnpm lock files #4502